24 Auditing Administrative and Run-time Events

In Oracle Access Manager, Oracle Security Token Service, and Oracle Fusion Middleware, auditing provides a measure of accountability and answers to the "who has done what and when" types of questions. Audit data can be used to create dashboards, compile historical data, and assess risks. Analyzing recorded audit data allows compliance officers to perform periodic reviews of compliance policies.

This chapter describes the administrative and run-time events that can be audited for Oracle Access Manager and Oracle Security Token Service. Configuring common auditing settings and validating your auditing configuration is the subject of this chapter. Analyzing and using audit data is outside the scope of this chapter.

Note:

Unless explicitly stated, information in this chapter is the same whether you are using Oracle Access Manager alone or with Oracle Security Token Service.

Prerequisites

Introduction to Auditing

Many businesses must now be able to audit identity information and user access on applications and devices. Compliance audits help an enterprise conform with regulatory requirements—Sarbanes-Oxley or the Health Insurance Portability and Accountability Act (HIPAA) are two examples.

Oracle Access Manager and Oracle Security Token Service use the Oracle Fusion Middleware Common Audit Framework to support auditing for a large number of user authentication and authorization run-time events, and administrative events (changes to the system). The Oracle Fusion Middleware Common Audit Framework provides uniform logging and exception handling and diagnostics for all audit events.

While auditing can be enabled or disabled, it is normally enabled in production environments. Auditing has minimal performance impact, and the information captured by auditing can be useful (even mission-critical).

Note:

Auditing for Oracle Access Manager 10g was based on OAM policies. However, auditing for Oracle Access Manager and Oracle Security Token Service is based on configuration parameters set in the Oracle Access Manager Console which enables data capture for a user or set of users.

Audit data can be written to either a single, centralized Oracle Database instance or to flat files. Regardless of where the audit record is stored, it contains a sequence of items that can be configured to meet particular requirements. The audit log file helps the audit administrator track errors and diagnose problems if the audit framework is not working properly.

Oracle Access Manager integrates with Oracle Business Intelligence Publisher, which provides a pre-defined set of compliance reports:

This section introduces auditing for Oracle Access Manager in the following topics:

About Oracle Access Manager Auditing Configuration

An Administrator controls certain auditing parameters using the Oracle Access Manager Console. This auditing configuration is recorded in the file oam-config.xml. Additional auditing configuration is required through the Common Audit Framework.

Note:

The audit configuration is part of oam-config.xml. OAM audit policies cannot be configured using Fusion Middleware Control. Oracle Access Manager does not use JPS infrastructure to configure the audit configuration. There are no WebLogic Scripting Tool (WLST) commands for Oracle Access Manager auditing.

Within the Oracle Access Manager Console, you can set the maximum log file and log directory size. Audit policies (known as Filter Presets in Oracle Access Manager) declare the types of events to be captured by the audit framework for particular components.

About Oracle Access Manager Audit Record Storage

By default, Oracle Access Manager records audit data to a file. However, administrators can change the configuration to log audit data to a database. Although the formats differ, audit data content is identical in both the flat file and the database.

Database logging implements the Common Auditing Framework across a range of Oracle Fusion Middleware products. The benefit is audit-function commonality at the platform level.

Note:

The preferred mode in production environments is writing audit records to a stand-alone RDBMS database for audit data only.

In production environments, Oracle recommends using a database audit store to provide scalability and high-availability for the Common Audit Framework. Audit data is cumulative and grows over time. Ideally this is a database for only audit data; not used by other applications.

To switch to a database as the permanent store for your audit records, you must first use the Repository Creation Utility (RCU) to create a database schema for audit data. The RCU seeds that database store with the schema required to store audit records in a database. After the schema is created, configuring a database audit store involves:

Creating a data source that points to the audit schema you created

Configuring the audit store to point to the data source

Figure 24-1 provides a simplified view of the audit architecture with a supported database. The Oracle Fusion Middleware Audit Framework schema for audit log tables is provided by the Repository Creation Utility (RCU), which must be run before you can log information to the database.

An independent audit loader process reads the flat log file and inserts records in the log table of the Oracle database. The audit store allows administrators to expose audit data with Oracle Business Intelligence Publisher using a variety of out-of-the-box reports.

About Audit Reports and Oracle Business Intelligence Publisher

The data in the database audit store is exposed through pre-defined reports in Oracle Business Intelligence Publisher. These reports allow you to drill down the audit data based on various criteria, such as user name, time range, application type, and execution context identifier (ECID).

Out-of-the-box, there are several sample audit reports available with Oracle Access Manager and accessible with Oracle Business Intelligence Publisher. You can also use Oracle Business Intelligence Publisher to create your own custom audit reports.

Oracle BI Enterprise Edition (Oracle BI EE) is a comprehensive set of enterprise business intelligence tools and infrastructure, including a scalable and efficient query and analysis server, an ad-hoc query and analysis tool, interactive dashboards, proactive intelligence and alerts, real-time predictive intelligence, and an enterprise reporting engine.Oracle BI EE is designed to bring greater business visibility and insight to a wide variety of users.

Oracle Access Manager Administrative Events You Can Audit

Administrative events are those generated when the Oracle Access Manager Console is used.

The Oracle Access Manager-specific administrative events that can be audited and the details captured in them are listed in Table 24-1. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

With Oracle Access Manager 11g, the administrator controls the amount and type of information that is logged by choosing a filter preset from the Audit Configuration tab on the OAM Server Common Properties page.

Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for Oracle Access Manager 11g.

Table 24-1 Oracle Access Manager Administrative Audit Events

Administrative Event

Event Data Include

Oracle Access Manager Console Login success/failure

User name

Remote IP

Roles

Authentication Policy Creation

Policy name

Authentication scheme details

Resource details

Policy type (authentication or authorization)

Authentication Policy Modification

Policy name

Authentication scheme details

Resource details

Policy type (authentication or authorization

Old Policy name

Old Authentication scheme details

Old Resource details

Authentication Policy Removal

Policy name

Authentication scheme details

Resource details

Policy type (authentication or authorization

Resource Creation

Resource name

URI

Operation

Resource type

Resource Modification

Resource name

URI

Operation

Resource type

Old Resource name

Old URI

Old Operation

Resource Removal

Resource name

URI

Operation

Resource type

Authentication Scheme Creation

Scheme name

Authentication modules

Level

Authentication Scheme Modification

Scheme name

Authentication modules

Level

Old Scheme name

Old Authentication modules

Old Level

Authentication Scheme Removal (Delete)

Scheme name

Authentication modules

Level

Response Creation

Response name

Response key

Data source

Response Type

Response Modification

Response name

Response key

Data source

Response Type

Old Response name

Old Response key

Old Data source

Response Removal (Delete)

Response name

Response key

Data source

Response Type

Partner Addition

Partner name

Partner ID

Partner URL

Logout URL

Partner Modification

Partner name

Partner ID

Partner URL

Logout URL

Old Partner name

Old Partner URL

Old Logout URL

Partner Removal

Partner name

Partner ID

Partner URL

Logout URL

Constraints creation

Constraint Name

Constraint type

Constraint data

Constraints Modification

Constraint Name

Constraint type

Constraint data

Old Constraint name

Old Constraint type

Old Constraint data

Constraints Removal

Constraint Name

Constraint type

Constraint data

Server Domain creation

Domain Name

Server Domain Modification

Domain Name

Old Domain Name

Server Domain Removal

Domain Name

Server configuration change

New details

Old details

Instance Name

Host Name

Application Name

User Name

Remote ID

Roles

Date and time

OAM Run-time Events You Can Audit

Run-time events are those generated by some of the events the Oracle Access Manager component engines issue when interacting with one another.

The run-time events that can be audited, when they are issued, and the details captured in them are listed in Table 24-2. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

With OAM 11g, the administrator controls the amount and type of information that is logged by choosing a filter preset from the Audit Configuration tab on the OAM Server Common Properties page.

Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for OAM 11g.

Table 24-2 OAM Run-time Audit Events

Run-time Event

Issued When

Event Details Include

Authentication Attempt

A user attempts to access a protected resource and the request arrives at the SSO server; this event might be followed by the events credential submit and authentication success or failure.

Remote IP

Resource ID

Partner ID

Resource ID

Authentication scheme ID

Authentication Policy ID

Authentication Success

A client submits credentials and credential validation is successful.

Remote IP

User Name

User DN

Resource ID

Authentication scheme ID

Authentication Policy ID

Partner ID

Authentication Failure

A client submits credentials and credential validation fails.

Remote IP

User Name

User DN

Resource ID

Authentication Scheme ID

Failure Error Code

Retry count

Authentication Policy ID

Partner ID

Session Creation

Authentication succeeds.

SSO Session ID

User Name

User DN

Remote IP

Resource ID

Authentication scheme ID

Authentication Policy ID

Session Destroy

Authentication succeeds.

SSO Session ID

User Name

User DN

Partner ID

Login success

A client finishes the login procedure and it is forwarded to the agent.

Remote IP

User Name

User DN

Authentication level

Resource ID

Authentication scheme ID

Authentication Policy ID

Partner ID

Login failure

A client fails to login; this event is issued only when all the retry authentication attempts allowed have failed or when the account is locked.

Remote IP

User Name

Authentication level

Resource ID

Authentication scheme ID

Authentication Policy ID

Partner ID

Logout success

A client finishes the logout procedure and is forwarded to the agent.

Remote IP

User DN

Authentication level

SSO Session ID

Partner ID

Logout failure

A client fails to logout.

Remote IP

User DN

SSO Session ID

Failure details

Partner ID

Credential Collection

A client is redirected to the credential collection page.

Remote IP

Resource Name

Resource ID

Authentication scheme ID

Authentication Policy ID

Credential Submit

A client submits credentials.

Remote IP

User Name

Resource ID

Authentication scheme ID

Authentication Policy ID

Authorization Success

A client has been authorized to access a resource.

Remote IP

User DN

Resource ID

Authorization Policy ID

Authorization Failure

A client has not been authorized to access a resource.

Remote IP

User DN

Resource ID

Authorization Policy ID

Server Start Up

The server starts up.

Date and time

Instance Name

Host Name

Application Name

User Name

Server Shut Down

The server shuts down.

Date and time

Instance Name

Host Name

Application Name

User Name

About Authentication Event Auditing

Auditing events during authentication can help administrators scrutinize security weaknesses in their systems. Information about users requesting authentication or brute force attacks can be stored in the file system or in a back-end database.

The events that an administrator can configure for auditing during authentication are:

Authentication success

Authentication failure

Create, modify, delete, or view Authentication Policy data

Information related to the user being authenticated include the following:

IP address

Browser type

User Login ID

Time of Access

Note:

Oracle recommends that you avoid auditing, logging, or tracing sensitive user attributes, such as user passwords.

Setting Up Auditing for Oracle Access Manager with Oracle Security Token Service

The following overview provides a list of the tasks that must be performed before you can perform auditing.

Setting Up the Audit Database Store

This topic provides an overview of the tasks required to create the audit database and extend the schema using the Repository Creation Utility (RCU). This task is required before you can audit events for Oracle Access Manager if you choose a database store for audit data.

Use the JNDI name of the datasource jdbc/AuditDB that points to the database that was set up in step 2 above

In the service instance specified in the domain file (DOMAIN_HOME/config/fmwconfig/jps-config.xml), enable database auditing by changing the value of the property audit.loader.repositoryType to DB. For example:

View reports from the following path: Reports/Oracle_Fusion_Middleware_Audit reports.

About the Auditing Configuration Section in Oracle Access Manager Console

Within Oracle Access Manager, certain Audit Configuration settings are accessible as Common Settings under the System Configuration. These settings are not required when you audit to a database. Figure 24-2 shows the Audit Configuration section of the Common Settings page.

The actual log directory cannot be configured using the Oracle Access Manager Console. It is the default directory for the Common Audit Framework audit loader. Changing the directory impacts the audit loader and is not supported.

The maximum size, in MBs, of the directory that contains audit output files. For example, assuming that the maximum file size is 10, a value of 100 for this parameter implies that the directory allows a maximum of 10 files. Once the maximum directory size is reached, the audit logging stops.

For example, a value of 100 specifies a maximum of 10 files if the file size is 10 MB. If the size exceeds this, the creation of audit logs stops.

This is configured using the max.DirSize property described in the configuration filejps-config.xml. This property controls the maximum size of a bus-stop directory for Java components as described in the Oracle Fusion Middleware Application Security Guide.

Maximum File Size

The maximum size, in MBs, of an audit log file. Once the size of a file reaches the maxi mum size, a new log file is created. For example, specifying 10 directs file rotation when the file size reaches 10 MB.

Defines the amount and type of information that is logged when the filter is enabled. The default value is Low.

All: captures and records all auditable OAM events

Low: captures and records a specific set of auditable OAM events

Medium: captures and records events covered by the Low setting plus a number of other auditable OAM events

None: no OAM events are captured and recorded

Events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for OAM 11g. Only items that are configured for auditing at the specified filter preset can be audited.

Users

Specifies the list of users whose actions are included only when the filter is enabled. All actions of the special users are audited regardless of the filter preset. Administrators can add, remove or edit special users from this table.